The Public Feed API provides a feed of user status updates and page status updates as they are posted to Facebook. Only status updates that have their privacy set to ‘public’ are included in the feed. The feed isn’t available via an HTTP API endpoint, instead updates are sent to your server over a dedicated HTTPS connection. The feed only includes basic data about the given post. From that basic data you may use the Graph API to request additional metadata to supplement the updates received through the public feed API.

Since users may delete or modify their privacy settings after posts are served, the API also sends reference to these actions. When you’re notified that a post has been removed or hidden, the post must be removed from your service within 24 hours, including any public displays of that post.

Getting Started

In order to start receiving updates from the public feed API, you will need to setup a HTTPS endpoint, where the API will POST all updates. Please note that this endpoint must have a valid SSL certificate that is NOT self-signed in order to receive updates. Once your HTTPS endpoint has been configured, provide this URL to your Facebook representative and confirm that you’re ready to start receiving the large volume of data that will be sent through the public Feed API.

If you have a firewall in front of your endpoint, please refer to our App Security developer documentation showing our current IP ranges and how to programmatically get this list.

Processing Updates

Once your service is enabled to receive updates from the public feed API, you will begin receiving public user status updates and page status updates, in near real-time, as they are posted to Facebook. These updates will be served in the form of XML-based objects that will provide your app with a basic set of information about the particular post. You may wish to also use the Graph API to request additional details about the post to supplement these objects.

Removing Posts

In order to use the public feed API, your app must properly process posts that indicate the removal of specific posts that were previously received. There are three cases in which such an update can be triggered:

A user changes the privacy for an individual post

A user changes their Search Engine account privacy settings for “Do you want other search engines to link to your timeline?”

A user changes their Follower Settings so they can no longer be followed by the general public

When there are posts to be deleted, the public feed API will notify your service by sending an update with the activity:verb type set to “/delete”. When you receive a delete, you must delete the affected posts.

User changes the privacy for an individual post

A person can change the privacy on an individual post that was previously set to “Public” to another privacy setting. They may also delete the actual post. When this situation occurs, the delete update will contain the “id” tag as part of the update. In this case, your service must delete that particular post from your service storage and from any places where it might be publicly posted.

The following is an example update that represents the case where the privacy level on a previously public user post to a level lower than “Everyone”:

User changes their Search Engine account privacy settings

In this case, the user has changed their Search Engine privacy setting that specifies whether search engines can link to the user’s timeline. When this situation occurs, the delete update will not contain the “id” tag as noted in the individual post case noted above. If the “id” tag is not included in the delete update, your service must delete all posts that have been received for this particular user. In this case, you must lookup all posts for that the user identified by the “fb:id” tag and then delete each of these posts.

The following is an example update that represents the case where the user has changed their Search Engine privacy settings: